## Patents

 Publication number US8027467 B2 Publication type Grant Application number US 12/370,463 Publication date Sep 27, 2011 Filing date Feb 12, 2009 Priority date Dec 4, 2002 Fee status Paid Also published as Publication number 12370463, 370463, US 8027467 B2, US 8027467B2, US-B2-8027467, US8027467 B2, US8027467B2 Inventors Original Assignee Wired Connections Llc Export Citation Patent Citations (20), Non-Patent Citations (41), Classifications (7), Legal Events (4) External Links:
Method for elliptic curve point multiplication
US 8027467 B2
Abstract
An elliptic curve multiplication method comprises three stages. In the first stage, randomly selected point representations are stored in variables. In the second stage, a right-to-left loop is executed that modifies the variable values in dependency of a multiplier. In the last stage, the result is calculated from the modified variable values.
Images(12)
Claims(20)
1. A method of performing an elliptic curve point multiplication eP using a cryptographic processing device, wherein e is an integer and P is a point on an elliptic curve, and wherein values of variables Ab and b are stored on the cryptographic processing device, the method comprising:
modifying the values of the variables Ab stored on the cryptographic processing device in dependency of digits bi such that the sum of the points 2Wi P over those indexes i for which bi=b holds is added to each variable and Ab; and
calculating the sum
$∑ b ∈ B bA b$
by using the modified values of the variables Ab, wherein B is a set of integers, and wherein the values of variables Ab and b were previously determined during an initialization of the cryptographic processing device by:
representing the multiplier e in the form
$e = ∑ 0 ≤ i ≤ l b i 2 wi$
using digits bi εB where w and l are integers;
assigning randomly selected point representations to variables Ab for at least one but not all b εB, such that none of the selected point representations is a point at infinity; and
assigning point representations to variables Ab for all values of b for which randomly selected point representations were not assigned so that the sum
$∑ b ∈ B bA b$
is the point at infinity.
2. The method or claim 1, wherein the cryptographic processing device further comprises a smart card.
3. The method of claim 1, wherein the modifying comprises computing the values 2wi P in succession for i=0, . . . ,l and for each i the respective value is added to variable Abi.
4. The method of claim 1, wherein l εB, and wherein the assigning randomly selected point representations comprises assigning random points to the variable Ab with b εB−{1} and the negative of the value of the sum
$∑ b ∈ B - { 1 } bA b$
is assigned to A1.
5. The method of claim 4, wherein the points in Ab are described in projective coordinates, and wherein the assigning randomly selected point representations comprises randomizing the projective representation of the variables Ab with b εB−{1}.
6. A cryptographic processing device for performing an elliptic curve point multiplication eP, wherein e is an integer and P is a point on an elliptic curve, the device comprising:
a reader configured to read values of variables Ab and b stored on the cryptographic processing device, and
a processor configured to complete the elliptic curve point multiplication by:
modifying the values of the variables Ab stored on the cryptographic processing device in dependency of digits bi such that the sum of the points 2wi P over those indexes i for which bi=b holds is added to each variable Ab, and
calculating the sum
$∑ b ∈ B bA b$
by using the modified values of the variables Ab, wherein B is a set or integers, and wherein the values of variables Ab and b were previously determined during the initialization of the cryptographic processing device by:
representing the multiplier e in the form
$e = ∑ 0 ≤ i ≤ l b i 2 wi$
using digits bi εB where w and l are integers;
assigning randomly selected point representations to variables Ab for at least one but not all b εB, such that none of the selected point representations is a point at infinity; and
assigning point representations to variables Ab for all values of b for which randomly selected point representations were not assigned so that the sum
$∑ b ∈ B bA b$
is the point at infinity.
7. A non-transitory computer-readable medium having instructions stored thereon that, if executed by a cryptographic processing device, cause the cryptographic processing device to perform operations comprising:
modifying values of variables Ab in dependency of digits bi such that the sum of the points 2wi P over those indexes i for which bi=b holds is added to each variable Ab, wherein the variables Ab and b are associated with an elliptic curve point multiplication eP, where e is an integer and P is a point on an elliptic curve; and
calculating the sum
$∑ b ∈ B bA b$
by using the modified values of the variables Ab, wherein B is a set of integers, wherein the values of variables Ab and b were previously determined during an initialization of the cryptographic processing device by:
representing the multiplier e in the form
$e = ∑ 0 ≤ i ≤ l b i 2 wi$
using digits bi εB where w and l are integers;
assigning randomly selected point representations to variables Ab for at least one but not all b εB, such that none of the selected point representations is a point at infinity; and
assigning point representations to variables Ab for all values of b for which randomly selected point representations were not assigned so that the sum
$∑ b ∈ B bA b$
is the point at infinity.
8. A method of performing an elliptic curve point multiplication eP using a cryptographic processing device, wherein e is an integer and P is a point on an elliptic curve, and wherein values of variables Ab, b and Q are stored on the cryptographic processing device, the method comprising:
modifying the values of the variables Ab stored on the cryptographic processing device in dependency of digits bi such that the sum of the points 2wi P over those indexes i for which bi=b holds is added to each variable Ab; and
calculating the sum
$∑ b ∈ B bA b$
by using the modified values of Ab, and subtracting from it the variable Q stored on the cryptographic processing device, wherein B is a set of integers, and wherein the values of variables Ab, b and Q were previously determined during the initialization of the cryptographic processing device by:
representing the multiplier e in the form
$∑ 0 ≤ i ≤ l b i 2 wi$
by using digits bi εB where w and l are integers;
assigning randomly selected point representations to variables Ab, for each b=B, such that none of the selected point representations is a point at infinity; and
computing the sum
$∑ b ∈ B bA b$
and storing it in the variable Q.
9. The method of claim 8, wherein the cryptographic processing device further comprises a smart card.
10. The method of claim 8, wherein modifying the values of the variables Ab comprises computing the values 2wi P in succession for i=0, . . . ,l and for each i the respective value is added to variable Abi if bi ≧ 0 and subtracted from variable A −bi if bi <0.
11. A cryptographic processing device for performing an elliptic curve point multiplication eP, wherein e is an integer and P is a point on an elliptic curve, the device comprising:
a reader configured to read values of variables Ab, b and Q stored on the cryptographic processing device; and
a processor configured to complete the elliptic curve point multiplication by:
modifying the values of the variables Ab stored on the cryptographic processing device in dependency of digits bi such that the sum of the points 2wi P over those indexes i for which bi=b holds is added to each variable Ab, and calculating the sum
$∑ b ∈ B bA b$
by using the modified values of Ab and subtracting from it the variable Q stored on the cryptographic processing device, wherein B is a set of integers, and wherein the values of variables Ab b and Q were previously determined during the initialization of the cryptographic processing device by:
representing the multiplier e in the form
$∑ 0 ≤ i ≤ l b i 2 wi$
by using digits bi εB where w and l are integers;
assigning randomly selected point representations to variables Ab for each bi εB, such that none of the selected point representations is a point at infinity; and
computing the
$∑ b ∈ B bA b$
and storing it in the variable Q.
12. A non-transitory computer-readable medium having instructions stored thereon that, if executed by a cryptographic processing device, cause the cryptographic processing device to perform operations comprising:
modifying válues of variables Ab in dependency of digits bi such that the sum of the points 2wi P over those indexes i for which bi=b holds is added to each variable Ab; and
calculating the sum
$∑ b ∈ B bA b$
by using the modified values of Ab, and subtracting from it a variable Q stored on the cryptographic processing device, wherein B is a set of integers, wherein the variables Ab, b and Q are associated with an elliptic curve point multiplication eP, where e is an integer and P is a point on an elliptic curve, and wherein the values of variables Ab, b and Q were previously determined during the initialization of the cryptographic processing device by:
representing the multiplier e in the form
$∑ 0 ≤ i ≤ l b i 2 wi$
by using digits bi εB where w and l are integers;
assigning randomly selected point representations to variables Ab for each b εB, such that none of the selected point representations is a point at infinity; and
comprising the sum
$∑ b ∈ B bA b$
and storing it in the variable Q.
13. A method of performing an elliptic curve point multiplication eP using a cryptographic processing device, wherein e is an integer and P is a point on an elliptic curve, and wherein values of variables Ab and b are stored on the cryptographic processing device, the method comprising:
modifying the values of the variables Ab, stored on the cryptographic processing device in dependency of digits bi such that the sum of the points 2wi P over those indexes i for which bi=b holds minus the sum of the points 2wi P over those negative indexes i for which bi=−b holds is added to each variable Ab with b εB′, wherein B is a set of integers and B′ denotes, the set of absolute values of the integers in set B; and
calculating the sum
$∑ b ∈ B ′ bA b$
by using the modified values of the variables Ab, wherein the values of variables Ab and b were previously determined during an initialization of the cryptographic processing device by:
representing the multiplier e in the form
$∑ 0 ≤ i ≤ l b i 2 wi$
using digits b εB where w and l are integers;
assigning randomly selected point representations to variables Ab for at least one but not all b εB′, such that none of the selected point representations is a point at infinity; and
assigning point representations to variables Ab for all values of b for which randomly selected point representations were not assigned so that the sum
$∑ b ∈ B ′ bA b$
is the point at infinity.
14. The method of claim 13, wherein the cryptographic processing device further comprises a smart card.
15. A cryptographic processing device for performing an elliptic curve point multiplication eP, wherein e is an integer and P is a point on an elliptic curve, the device comprising:
a reader configured to read values of variables Ab and b stored on the cryptographic processing device; and
a processor configured to complete the elliptic curve point multiplication by:
modifying the values of the variables Ab stored on the cryptographic processing device in dependency of digits bi such that the sum of the points 2wi P over those indexes i for which bi=b holds minus the sum of the points 2wi P over those negative indexes i for which bi=−b holds is added to each variable Ab with b εB′; wherein B is a set of integers and B′ denotes the set of absolute values of the integers in set B, and
calculating the sum
$∑ b ∈ B ′ bA b$
by using the modified values of the variables Ab, wherein the values of variables Ab and b were previously determined during the initialization of the cryptographic processing device by:
representing the multiplier e in the form
$∑ 0 ≤ i ≤ l b i 2 wi$
using digits b εB where w and l are integers;
assigning randomly selected point representations to variables Ab for at least one but not all b εB′, such that none of the selected point representations is a point at infinity; and
assigning point representations to variables Ab for all values of b for which randomly selected point representations were not assigned so that the sum
$∑ b ∈ B ′ bA b$
is the point at infinity,
16. A non-transitory computer-readable medium having instructions stored thereon that, if executed by a cryptographic processing device, cause the cryptographic processing device to perform operations comprising:
modifying values of variables Ab in dependency of digits bi such that the sure of the points 2wi P over those indexes i for which bi=b holds minus the sum of the points 2wi P over those negative indexes i for which bi=−b holds is added to each variable Ab with b εB′, wherein B is a set of integers and B′ denotes the set of absolute values of the integers inset B, wherein variables Ab and b are associated with an elliptic curve point multiplication eP, where e is an integer and P is a point on an elliptic curve; and
calculating the sum
$∑ b ∈ B ′ bA b$
by using the modified values of the variables Ab, wherein the values of variables Ab and b were previously determined during an initialization of the cryptographic processing device by:
representing the multiplier e in the form
$∑ 0 ≤ i ≤ l b i 2 wi$
using digits b εB where w and l are integers;
assigning randomly selected point representations to variables Ab for at least one but not all b εB′, such that none of the selected point representations is a point at infinity; and
assigning point representations to variables Ab for all values of b for which randomly selected point representations were not assigned so that the sum
$∑ b ∈ B ′ bA b$
is the point at infinity.
17. A method of performing an elliptic curve point multiplication eP using a cryptographic processing device, wherein e is an integer and P is a point on an elliptic curve, and wherein values of variables Ab, b and Q are stored on the cryptographic processing device, the method comprising:
modifying the values of the variables Ab stored on the cryptographic processing device in dependency of digits bi such that the sum of the points 2wi P over those indexes i for which bi=b holds minus the sum of the points 2wi P over those negative indexes i for which bi=−b holds is added to each variable Ab with b εB′, wherein B is a set of integers and B′ denotes the set of absolute values of the integers in set B; and
calculating the sum
$∑ b ∈ B ′ bA b$
by using the modified values of Ab, and subtracting from it the variable Q stored on the cryptographic processing device, wherein the values of variables Ab, b and Q were previously determined during the initialization of the cryptographic processing device by:
representing the multiplier e in the form
$∑ 0 ≤ i ≤ l b i 2 wi$
by using digits bi, εB where w and l are integers;
assigning randomly selected point representations to variables Ab for each b εB′, such that none of the selected point representations is a point at infinity; and
computing the sum
$∑ b ∈ B bA b$
and storing it in a variable Q.
18. The method of claim 17, wherein the cryptographic processing device further comprises a smart card.
19. A cryptographic processing device for performing an elliptic curve point multiplication eP, wherein e is an integer and P is a point on an elliptic curve, the device comprising:
a reader configured to read values of variables Ab, b and Q stored on the cryptographic processing device; and
a processor configured to complete the elliptic curve point multiplication by:
modifying the values of the variables Ab in dependency of digits bi such that the sum of the points 2wi P over those indexes i for which bi=b holds minus the sum of the points 2wi P over those negative indexes i for which bi=−b holds is added to each variable Ab with b εB′, wherein B is a set of integers and B′ denotes the set of absolute values of the integers in set B, and
calculating the sum
$∑ b ∈ B ′ bA b$
by using the moainea values of Ab and subtracting from it the variable Q stored on the cryptographic processing device, wherein the values of variables Ab, b and Q were previously determined during the initialization of the cryptographic processing device by:
representing the multiplier e in the form
$∑ 0 ≤ i ≤ l b i 2 wi$
by using digits bi, εb where w and l are integers;
assigning randomly selected point representations to variables Ab for each b εB′, such that none of the selected point representations is a point at infinity; and
computing the sum
$∑ b ∈ B bA b$
and storing it in a variable Q.
20. A non-transitory computer-readable medium having instructions stored thereon that, if executed by a cryptographic processing device, cause the cryptographic processing device to perform operations comprising:
modifying values of variables Ab in dependency of digits bi such that the sum of the points 2wi P over those indexes i for which bi=−b holds minus the sum of the points 2wi P over those negative indexes i for which bi=−b holds is added to each variable Ab with b εB ′, wherein B is a set of integers and B ′ denotes the set of absolute values of the integers in set B; and
calculating the sum
$∑ b ∈ B ′ bA b$
by using the modified values of Ab, and subtracting from it a variable Q stored on the cryptographic processing device, wherein the variables Ab, b, and Q are associated with an elliptic curve point multiplication eP, where e is an integer and P is a point on an elliptic curve, and wherein the values of variables Ab, b and Q were previously determined during the initialization of the cryptographic processing device by:
representing the multiplier e in the form
$∑ 0 ≤ i ≤ l b i 2 w i$
by using digits bi, εB where w and l are integers;
assigning randomly selected point representations to variables Ab for each b εB′, such that none of the selected point representations is a point at infinity; and
computing the sum
$∑ b ∈ B bA b$
and storing it in a variable Q.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 10/310,735 filed Dec. 4, 2002 which is herein incorporated by reference in its entirety.

TECHNICAL FIELD

The invention describes an elliptic curve point multiplication method with resistance against side-channel attacks, which are a big threat for use in cryptography, e.g. for key exchange, encryption, or for digital signatures.

BACKGROUND

Implementations of elliptic curve cryptosystems may be vulnerable to side-channel attacks ([1], [2]) where adversaries can use power consumption measurements or similar observations to derive information on secret scalars e in point multiplications eP.

One distinguishes between differential side-channel attacks, which require correlated measurements from multiple point multiplications, and simple side-channel attacks, which directly interpret data obtained during a single point multiplication. Randomization can be used as a countermeasure against differential side-channel attacks.

In particular, for elliptic curve cryptography, projective randomization is a simple and effective tool ([3]):

If (X, Y, Z) represents the point whose affine coordinates are (X/Z2, Y/Z.3) another representation of the same point that cannot be predicted by the adversary is obtained by substituting (r2X, r3Y, rZ) with a randomly chosen secret non-zero field element r. (When starting from an affine representation (X,Y), this simplifies to (r2X, r3Y, r).)

Simple side-channel attacks can be easily performed because usually the attacker can tell apart point doublings from general point additions.

Thus point multiplication should be implemented using a fixed sequence of point operations that does not depend on the particular scalar.

Note that it is reasonable to assume that point addition and point subtraction are uniform to the attacker as point inversion is nearly immediate (dummy inversions can be inserted to obtain the same sequence of operations for point additions as for point subtractions).

Various point multiplication methods have been proposed that use an alternating sequence of doublings and additions:

The simplest approach uses a binary point multiplication method with dummy additions inserted to avoid dependencies on scalar bits ([3]); however as noted in [4] it may be easy for adversaries to determine which additions are dummy operations, so it is not clear that this method provides sufficient security. For odd scalars, a variant of binary point multiplication can be used where the scalar is represented in balanced binary representation (digits −1 and +1) ([5]). Also Montgomery's binary point multiplication method ([6]), which maintains an invariant Q1−Qo=P while computing eP using two variables Qo, Q1, can be adapted for implementing point multiplication with a fixed sequence of point operations ([7], [8], [9], [10], [11]).

With this approach, specific techniques can be used to speed up point arithmetic:

The doubling and addition steps can be combined; y-coordinates of points may be omitted during the computation ([6], [9], [10], [11]); and on suitable hardware, parallel execution can be conveniently used for improved efficiency ([10], [11]).

All of the above point multiplication methods are binary. Given sufficient memory, efficiency can be improved by using 2w-ary point multiplication methods. Here, the scalar e is represented in base 2w using digits bi from some digit set B:

$e = ∑ 0 ≤ i ≤ l b i 2 wi$

A simple way to obtain a uniform sequence of doublings and additions (namely, one addition after w doublings in the main loop of the point multiplication algorithm) is to use 2w-ary point multiplication as usual (first compute and store bP for each bεB, then compute eP using this precomputed table), but to insert a dummy addition whenever a zero digit is encountered.

However, as noted above for the binary case, the dummy addition approach may not be secure.

This problem can be avoided (given w≧2) by using a representation of e without digit value 0, such as
B={−2w, 1, 2, . . . , 2w−1}
as proposed in [4], or
B={−2w, ±1,±2, . . . , ±(2w−2),2w−1}
for improved efficiency as proposed in [12].

A remaining problem in the method of [4] and [12] is that the use of a fixed table may allow for statistical attacks: If the same point from the table is used in a point addition whenever the same digit value occurs, this may help adversaries to find out which of the digits b1, have the same value (cf. the attacks on modular exponentiation using fixed tables in [13] and [14]).

This problem can be countered by performing, whenever the table is accessed, a projective randomization of the table value that has been used.

This will avoid a fixed table, but at the price of reduced efficiency.

SUMMARY

This invention is a variant of 2w-ary point multiplication with resistance against side-channel attacks that avoids a fixed table without requiring frequently repeated projective randomization.

An additional advantage of the new method is that it is easily parallelizable on two-processor systems. One essential change in strategy compared with earlier methods for side-channel attack resistant point multiplication is the use of a right-to-left method (the scalar is processed starting at the least significant digit, cf. [15]) whereas the conventional methods work in a left-to-right fashion.

The method works in three stages, which are called initialization stage, right-to-left stage, and result stage.

First there will be a high-level view of these stages before they are discussed in detail.

The method for computing eP is parameterized by an integer w≧2 and a digit set B consisting of 2w integers of small absolute value such that every positive scalar e can be represented in the form

$e = ∑ 0 ≤ i ≤ l bi 2 wi$

using digits biεB; for example
B={0, 1, . . . , 2w−1}

or
B={−2w−1, . . . , 2w−1−1}

A representation of e using the latter digit set can be easily determined on the fly when scanning the binary digits of e in right-to-left direction.

If e is at most n bits long (i.e. 0<e<2n), l=└n/w┘. is sufficient.

Let B′ denote the set {|b∥bεB} of absolute values of digits, which has at least 2(w−1)+1 and at most 2w elements. The point multiplication method uses # (B)+1 variables for storing points on the elliptic curve in projective representation: Namely, one variable Ab for each bεB′, and one additional variable Q.

Let Ab init denote the value of Ab at the end of the initialization stage, and let Ab sum denote the value of Ab at the end of the right-to-left stage. The initialization stage sets up the variables Ab(bεB′) in a randomized way such that Ab init≠0 for each b, but

$∑ b ∈ B ′ bA b init = 0$

(O Denotes the Point at Infinity, the Neutral Element of the Elliptic Curve Group.)

Then the right-to-left stage performs computations depending on P and the digits bi, yielding new values Ab sum of the variables Ab satisfying

$A b sum = A b init + ∑ 0 ≤ i ≤ l b i = b 2 wt p - ∑ 0 ≤ i ≤ l b i = - b 2 wt pi$

for each bεB′. Finally, the result stage computes

$∑ b ∈ B ′ - { 0 } bA b sum ,$

which yields the final result eP because

$∑ b ∈ B ′ - { 0 } bA b sum = ∑ b ∈ B ′ - { 0 } bA b init ︸ 0 + ∑ b ∈ B ′ - { 0 } b ( ∑ 0 ≤ i ≤ l b i = b 2 wi P - ∑ 0 ≤ i ≤ l b i = - b 2 wi P ) = ∑ 0 ≤ i ≤ l b 1 2 wi P = eP$

The point multiplication method is a signed-digit variant of Yao's right-to-left method [15](see also [16, exercise 4.6.3-9]) and [17, exercise 4.6.3-9]) and [18]) with two essential modifications for achieving resistance against side-channel attacks: The randomized initialization stage is different; and in the right-to-left stage, the digit 0 is treated like any other digit.

In the following the three stages are discussed in detail describing possible implementations.

The initialization stage can be implemented as follows:

• 1. For each bεB′−{1}, generate a random point on the elliptic curve and store it in variable Ab.
• 2. Compute the point −

$∑ b ∈ B ′ - { 0 , 1 } bA b$
and store it in variable Ai.

• 3. For each bεB′, perform a projective randomization of variable Ab init.

The resulting values of the variables Ab are denoted by Ab init.

If the elliptic curve is fixed, precomputation can be used to speed up the initialization stage:

The steps 1 and 2 should be run just once, e.g. during personalization of a smart card, and the resulting intermediate values Ab stored for future use.

These values are denoted by Ab fix. Then only step 3 (projective randomization of the values Ab fix to obtain new representations Ab init) has to be performed anew each time the initialization stage is called for. The points Ab fix must not be revealed; they should be protected like secret keys.

Generating a random point on an elliptic curve is straightforward. For each element X of the underlying field, there are zero, one or two values Y such that (X,Y) is the affine representation of a point on the elliptic curve.

Given a random candidate value X, it is possible to compute an appropriate Y if one exists; the probability for this is approximately ½ by Hasse's theorem.

If there is no appropriate Y, one can simply start again with a new X.

Computing an appropriate Y given X involves solving a quadratic equation, which usually (depending on the underlying field) is computationally expensive.

This makes it worthwhile to use precomputation as explained above.

It is also possible to reuse the values that have remained in the variables Ab,b≠1, after a previous computation, and start at step 2 of the initialization stage.

To determine −

$∑ b ∈ B ′ - { 0 , 1 } bA b$
in step 2, it is not necessary to compute all the individual products bAb.

The following Algorithm can be used instead to set up A1 appropriately if B′={0, 1, . . . , β}, β≧2. (Note that both loops will be skipped in the case β=2.)

 $Algorithm 1 Compute A 1 ← - ∑ b ∈ { 2 , , β } bA b in the initialisation stage$ for i = β − 1 down to 2 do Ai ← Ai + Ai+1 A1 ← 2A2 for i = 2 to β − 1do Ai ← Ai − Al+1 A1 ← A1 + Al+1 A1 ← − A1

This algorithm takes one point doubling and 3β−6 point additions.

When it has finished, the variables Ab for 1<b<β will contain modified values, but these are representations of the points originally stored in the respective variables.

If sufficient memory is available, a faster algorithm can be used to compute A1 without intermediate modification of the variables Ab for b>1 (use additional variables Qb instead; a possible additional improvement can be achieved if point doublings are faster than point additions).

The projective randomization of the variables Ab (bεB′) in step 3 has the purpose to prevent adversaries from correlating observations from the computation of A1 in the initialization stage with observations from the following right-to-left stage. If algorithm 1 has been used to compute A1 and the points are not reused for multiple invocations of the initialization stage, then no explicit projective randomization of the variables Ab for 1<b<β is necessary; and if β>2 no explicit projective randomization of A1 is necessary:

The variables have automatically been converted into new representations by the point additions used to determine their final values.

The following implements the right-to-left stage using a uniform pattern of point doublings and point additions.

Initially, for each b, variable Ab contains the value Ab init; the final value is denoted by Ab sum.

 Algorithm 2 Right-to-left stage Q ← P for i = 0 to l do if bi ≧ 0 then Ab i ← Ab i + Q else A|b i | ← A|b i | − Q Q ← 2w Q

Due to special cases that must be handled in the point addition algorithm ([19]), uniformity of this algorithm is violated if A|b i | is a projective representation of ±Q; the randomization in the initialization stage ensures that the probability of this is negligible.

(This is why in the section, where the initialization stage is described, it is required that precomputed values Ab fix be kept secret.)

If B contains no negative digits, the corresponding branch in the algorithm can be omitted.

The obvious way to implement Q←2wQ in this algorithm is w-fold iteration of the statement Q←2Q, but depending on the elliptic curve, more efficient specific algorithms for w-fold point doubling may be available (see [20]).

In the final iteration of the loop, the assignment to Q may be skipped (the value Q is not used after the right-to-left stage has finished).

With this modification, the algorithm uses lw point doublings and l+1 point additions. Observe that on two-processor systems the point addition and the w-fold point doubling in the body of the loop may be performed in parallel: Neither operations depends on the other's result.

Similarly to the computation of A1 in the initialization stage, the result stage computation

$∑ b ∈ B ′ - { 0 } bA b sum$

can be performed without computing all the individual products bAb sum. In the result stage, it is not necessary to preserve the original values of the variables Ab, so the following algorithm (from [16, answer to exercise 4.6.3-9]) can be used if B′={0, 1, . . . , β} when initially each variable Ab contains the value Ab sum.

 $Algorithm 3 Compute ∑ b ∈ { 1 , , β } bA b sum when initially A b = A b sum$ for i = β − 1 down to 1 do Ai ← Ai = Ai+1 for i = 2 to β do A1 ← A1 + Ai return A1

This algorithm uses 2β−2 point additions. Elliptic curve point arithmetic usually has the property that point doublings are faster than point additions. Then the variant described in the following algorithm is advantageous.

 $Algorithm 4 Compute ∑ b ∈ { 1 , … , β } bA b sum$ $when initially A b = A b sum ( variant )$ for i = β down to 1 do if 2i ≦ β then Ai ← Ai + A2i if i is even then if i < β then Ai ← Ai + Ai+1 Ai ← 2Ai else if i > l then A1 ← A1 + Ai return Al

This algorithm uses └β/2┘ point doublings and 2β−2−└β/2┘ point additions.

Patent Citations
Cited PatentFiling datePublication dateApplicantTitle
US4179586 *Aug 2, 1972Dec 18, 1979The United States Of America As Represented By The Secretary Of The ArmySystem of encoded speech transmission and reception
US5497423 *Jun 20, 1994Mar 5, 1996Matsushita Electric Industrial Co., Ltd.Method of implementing elliptic curve cryptosystems in digital signatures or verification and privacy communication
US6631471Dec 10, 1999Oct 7, 2003Hitachi, Ltd.Information processing equipment
US6778666 *Mar 15, 1999Aug 17, 2004Lg Electronics Inc.Cryptographic method using construction of elliptic curve cryptosystem
US6956946 *Aug 18, 2000Oct 18, 2005Infineon Technologies AgMethod and device for cryptographic processing with the aid of an elliptic curve on a computer
US7177422 *Apr 24, 2002Feb 13, 2007Sony CorporationElliptic curve encryption processing method, elliptic curve encryption processing apparatus, and program
US20010048741Mar 20, 2001Dec 6, 2001Katsuyuki OkeyaMethod of calculating multiplication by scalars on an elliptic curve and apparatus using same and recording medium
US20020178371 *Dec 19, 2001Nov 28, 2002Hitachi, Ltd.Attack-resistant implementation method
US20030194086Apr 11, 2002Oct 16, 2003Lambert Robert J.Method for strengthening the implementation of ECDSA against power analysis
US20070177721 *Nov 15, 2005Aug 2, 2007Fujitsu LimitedTamper-proof elliptic encryption with private key
US20090147948 *Feb 12, 2009Jun 11, 2009Wired Connection LlcMethod for Elliptic Curve Point Multiplication
US20100215174 *May 5, 2010Aug 26, 2010General Dynamics C4 Systems, Inc.Reliable elliptic curve cryptography computation
EP0924895A2Dec 16, 1998Jun 23, 1999Nippon Telegraph and Telephone CorporationEncryption and decryption devices for public-key cryptosystems and recording medium with their processing programs recorded thereon
EP1014617A2Dec 21, 1999Jun 28, 2000Hitachi, Ltd.Method and apparatus for elliptic curve cryptography and recording medium therefor
EP1160661A2Mar 20, 2001Dec 5, 2001Hitachi, Ltd.Method of calculating multiplication by scalars on an elliptic curve and apparatus using same
FR2810821A1 Title not available
JP2000187438A Title not available
WO2000005837A1Jul 21, 1999Feb 3, 2000Certicom Corp.Timing attack resistant cryptographic system
WO2000025204A1Oct 5, 1999May 4, 2000Certicom Corp.Power signature attack resistant cryptography
WO2002054343A1Dec 21, 2001Jul 11, 2002GemplusMethod for protection against power analysis or electromagnetic radiation analysis attacks
Non-Patent Citations
Reference
1"An Implementation of Elliptic Curve Cryptosystem over F 2 155," G.B. Agnew Vansone, IEEE JSAC, No. 5, Jun. 1993.
2Brickell et al., "Fast exponentiation with precomputation (extended abstract)," Advances in Cryptology-Eurocrypt '92 (1993), R.A. Rueppel, Ed., vol. 658 of Lecture Notes in Computer Science, p. 200-207.
3Brickell et al., "Fast exponentiation with precomputation (extended abstract)," Advances in Cryptology—Eurocrypt '92 (1993), R.A. Rueppel, Ed., vol. 658 of Lecture Notes in Computer Science, p. 200-207.
4Brier et al., "Weierstrabeta elliptic curves and side-channel attacks," Public Key Cryptography-PKC 2002 (2002), D. Naccache and P. Paillier, Eds., vol. 2274 of Lecture Notes in Computer Science, p. 335-345.
5Brier et al., "Weierstraβ elliptic curves and side-channel attacks," Public Key Cryptography—PKC 2002 (2002), D. Naccache and P. Paillier, Eds., vol. 2274 of Lecture Notes in Computer Science, p. 335-345.
6Coron, J.S., "Resistance against differential power analysis for elliptic curve cryptosystems," Cryptographic Hardware and Embedded Systems-Ches '99 (1999), C.K. Koc and C. Paar, Eds., vol. 1717 of Lecture Notes in Computer Sience, p. 292-302.
7Coron, J.S., "Resistance against differential power analysis for elliptic curve cryptosystems," Cryptographic Hardware and Embedded Systems—Ches '99 (1999), C.K. Koc and C. Paar, Eds., vol. 1717 of Lecture Notes in Computer Sience, p. 292-302.
8Fishcer et al., "Parallel scalar multiplication on general elliptic curves or Fp hedged against non-differential side-channel attacks," Cryptology ePrint Archive Report 2002/007, 2002, Available from http://eprint.iacr.org/.
9Goubin, L., "A Refined Power-AnalysisAttack on Elliptic Curve Crytosystems," Y.G. Desmedt (Ed.): PKO 2003, LNCS 2567, p. 199-211, Springer-Berlag Berlin Heidelberg 2003.
10Hasan, M.A., "Power analysis attacks and algorithic approached to their countermeasures for Koblitz curve cryptosystems," IEEE Explore, 2001, 50(10), p. 1071-1083.
11Institute of Electrical and Electronics Engineers (IEEE). IEEE standard specifications for public-key cryptography. IEEE Std 1363-2000, 2000.
12Itch et al., "Fast implementation of public-key crytptography on a DSP TMS320C6201," Crytographic Hardware and Embedded Systems-Ches '99 (1999), C.K. Kock and C. Paar, Eds., vol. 1717 of Lecture Noges in Computer Science, p. 61-72.
13Itch et al., "Fast implementation of public-key crytptography on a DSP TMS320C6201," Crytographic Hardware and Embedded Systems—Ches '99 (1999), C.K. Kock and C. Paar, Eds., vol. 1717 of Lecture Noges in Computer Science, p. 61-72.
14Izu et al., "A fast parallel elliptic curve multiplication resistant against side channel attacks," Public Key Cryptography-PKC 2002 (2002), ), D. Naccache and P. Paillier, Eds., vol. 2274 of Lecture Notes in Computer Science, p. 280-296.
15Izu et al., "A fast parallel elliptic curve multiplication resistant against side channel attacks," Public Key Cryptography—PKC 2002 (2002), ), D. Naccache and P. Paillier, Eds., vol. 2274 of Lecture Notes in Computer Science, p. 280-296.
16Izu, T., and Takagi, T. "A fast parallel elliptic curve multiplication resistant against side channel attacks." In Public Key Cryptography-PKC 2002 (2002), D. Naccache and P. Paillier, Eds., vol. 2274 of Lecture Notes in Computer Science, pp. 280-296, 2000.
17Izu, T., and Takagi, T. "A fast parallel elliptic curve multiplication resistant against side channel attacks." In Public Key Cryptography—PKC 2002 (2002), D. Naccache and P. Paillier, Eds., vol. 2274 of Lecture Notes in Computer Science, pp. 280-296, 2000.
18Joye et al., "Protections against Differential Analysis for Elliptic Curve Cryptography-An Algebraic Approach," Springer-Verlag Heidelberg, ISSN: 0302-9743, vol. 2162/2001, p. 377-390.
19Joye et al., "Protections against Differential Analysis for Elliptic Curve Cryptography—An Algebraic Approach," Springer-Verlag Heidelberg, ISSN: 0302-9743, vol. 2162/2001, p. 377-390.
20Joye, Marc, et al., "Protections against Differential Analysis for Elliptic Curve Cryptography-An Algebraic Approach", Springer-Verlag Heidelberg, ISSN: 0302-9743, vol. 2162/2001, pp. 377-390, 2000.
21Joye, Marc, et al., "Protections against Differential Analysis for Elliptic Curve Cryptography—An Algebraic Approach", Springer-Verlag Heidelberg, ISSN: 0302-9743, vol. 2162/2001, pp. 377-390, 2000.
22Knuth, D. E. The Art of Computer Programming-vol. 2: Seminumerical Algorithms (2nd ed.). Addison-Wesley, 1981 (book 704 pages).
23Knuth, D. E. The Art of Computer Programming—vol. 2: Seminumerical Algorithms (2nd ed.). Addison-Wesley, 1981 (book 704 pages).
24Knuth, D. E. The Art of Computer Programming-vol. 2: Seminumerical Algorithms (3rd ed.). Addison-Wesley, 1998 (book 800 pages).
25Knuth, D. E. The Art of Computer Programming—vol. 2: Seminumerical Algorithms (3rd ed.). Addison-Wesley, 1998 (book 800 pages).
26Kocher et al., "Differential power analysis," Advances in Cryptology-Crypto '99 (1999), M. Wiener, Ed., vol. 1666 of Lecture Notes in Computer Science, p. 388-397.
27Kocher et al., "Differential power analysis," Advances in Cryptology—Crypto '99 (1999), M. Wiener, Ed., vol. 1666 of Lecture Notes in Computer Science, p. 388-397.
28Kocher, P.C., "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems," Advances in Cryptology-Crypto '96 (1996), N. Koblitz, Ed., vol. 1109 of Lecture Notes in Computer Science, p. 104-113.
29Kocher, P.C., "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems," Advances in Cryptology—Crypto '96 (1996), N. Koblitz, Ed., vol. 1109 of Lecture Notes in Computer Science, p. 104-113.
30Möller, B., "Parallelizable elliptic curve point multiplication method with resistance against side-channel attacks," Information Security-ISC 2002 (2002), A.H. Chan and V. Gilgor, Eds., vol. 2433 of Lecture Notes in Computer Science, p. 402-413.
31Möller, B., "Securing elliptic curve point multiplication against side-channel attacks, addendum: Efficiency Improvement," http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/ecc-sca-isc01.pdf, 2001.
32Möller, B., "Securing Elliptic Curve Pointy Multiplication against Side-Channel Attacks," Information Security-ISC 2001.
33Möller, B., "Parallelizable elliptic curve point multiplication method with resistance against side-channel attacks," Information Security—ISC 2002 (2002), A.H. Chan and V. Gilgor, Eds., vol. 2433 of Lecture Notes in Computer Science, p. 402-413.
34Möller, B., "Securing Elliptic Curve Pointy Multiplication against Side-Channel Attacks," Information Security—ISC 2001.
35Montogomery, P.L., "Speeding the Pollard and elliptic curvemethods of factorization," Mathematics of Computation, 1987, 48(177), p. 243-264.
36Paralleizable Elliptic Curve Point Multiplication Method with Resistance against Side-Channel Attacks, ISC 2002.
37Schindler, W., "A combined timing and power attach," Public Key Cryptography-PKC 2002 (2002), ), D. Naccache and P. Paillier, Eds., vol. 2274 of Lecture Notes in Computer Science, p. 263-297.
38Schindler, W., "A combined timing and power attach," Public Key Cryptography—PKC 2002 (2002), ), D. Naccache and P. Paillier, Eds., vol. 2274 of Lecture Notes in Computer Science, p. 263-297.
39Walter et al., "Distinguishing exponent digits by observing modular subtractions," Progress in Cryptology-CT-RSA 2001 (2001), ), D. Naccache, Ed., vol. 2020 of Lecture Notes in Computer Science, p. 192-207.
40Walter et al., "Distinguishing exponent digits by observing modular subtractions," Progress in Cryptology—CT-RSA 2001 (2001), ), D. Naccache, Ed., vol. 2020 of Lecture Notes in Computer Science, p. 192-207.
41Yao, A.C.-C., "On the evaluation of powers," SIAM Journal on Computing, vol. 5, 1976, p. 100-103.
Classifications
U.S. Classification380/30
International ClassificationG06F7/72, H04K1/00
Cooperative ClassificationG06F2207/7228, G06F7/725, G06F2207/7223
European ClassificationG06F7/72F1
Legal Events
DateCodeEventDescription
Mar 19, 2009ASAssignment
Owner name: WIRED CONNECTIONS LLC, DELAWARE
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TU DARMSTADT (TECHNICAL UNIVERSITY OF DARMSTADT);REEL/FRAME:022423/0747
Effective date: 20060816
Jul 10, 2012CCCertificate of correction
Feb 25, 2015FPAYFee payment
Year of fee payment: 4
Oct 27, 2015ASAssignment
Owner name: BENHOV GMBH, LLC, DELAWARE
Free format text: MERGER;ASSIGNOR:WIRED CONNECTIONS LLC;REEL/FRAME:036892/0693
Effective date: 20150811